Elliptic Curve Diffie-Hellman Key Agreement using Curve25519 for Transport Layer Security (TLS)
draft-josefsson-tls-curve25519-02

The information below is for an old version of the document
Document Type Active Internet-Draft (individual)
Author Simon Josefsson 
Last updated 2014-01-08
Replaced by draft-ietf-tls-curve25519
Stream (None)
Formats plain text xml pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                       S. Josefsson
Internet-Draft                                                    SJD AB
Updates: 4492 (if approved)                              January 8, 2014
Intended status: Informational
Expires: July 12, 2014

    Elliptic Curve Diffie-Hellman Key Agreement using Curve25519 for
                     Transport Layer Security (TLS)
                   draft-josefsson-tls-curve25519-02

Abstract

   This document specifies the use of Curve25519 for key exchange in the
   Transport Layer Security (TLS) protocol.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 12, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Josefsson                 Expires July 12, 2014                 [Page 1]
Internet-Draft             Curve25519 for TLS               January 2014

1.  Introduction

   In [Curve25519], a new elliptic curve function for use in
   cryptographic applications was specified.  Curve25519 is a Diffie-
   Hellman function designed with performance and security in mind.

   [RFC4492] defines the usage of elliptic curves for authentication and
   key agreement in TLS 1.0 and TLS 1.1, and these mechanisms are also
   applicable to TLS 1.2 [RFC5246].  The use of ECC curves for key
   exchange requires the definition and assignment of additional
   NamedCurve IDs.  This document specify that value for Curve25519, as
   well as the minor changes in key selection and representation that
   are required to accomodate for Curve25519's slightly different
   nature.

   This document only describes usage of Curve25519 for ephemeral key
   exchange (ECDHE), not for use with long-term keys embedded in PKIX
   certificates (ECDH_ECDSA and ECDH_ECDSA).

   Curve25519 is not directly suitable for authentication, and thus not
   applicable for signing of e.g. PKIX certificates.  See draft-
   josefsson-eddsa-ed25519 for a parallel effort.

2.  Data Structures and Computations

   [RFC4492] and related standards [SEC1] define an elliptic curve over
   GF(p) as the set of solutions of the equation y^2 = x^3 + a x + b
   (commonly referred to as a short Weierstrass equation) with both x
   and y in GF(p), plus the point at infinity.  For each curve, a point
   G is fixed, generating a subgroup of large (prime) order N.

   The Diffie-Hellman key exchange is then defined as follows: each
   party generates a random number 1 <= d < N (the private key),
   computes Q = d G (the public key).  The parties exchange their public
   keys and compute the shared secret as Z = d Q_peer.

   [RFC4492] defines formats for representing public keys during the
   exchange, and extensions for negotiating the format used by each
   party and the underlying curve used by both parties.

   While retaining the same overall structure for the Diffie-Hellman key
   exchange, Curve25519 makes some changes to the way the curve equation
   is presented, private keys are selected and public keys exchanged, in
   order to ease secure and efficient implementations.

   The following subsections describe the differences between using
   Curve25519 and the curves defined by RFC 4492 for key exchange in
   TLS.

Josefsson                 Expires July 12, 2014                 [Page 2]
Internet-Draft             Curve25519 for TLS               January 2014

2.1.  Group negotiation and new NamedCurve type

   Curve negotiation is the same for Curve25519 as for other curves, but
   is restricted to using the named_curve type in the ServerKeyEchange
   message: the explicit_prime type is only suited to curves in short
   Weierstrass form.  This document adds a new NamedCurve value for
   Curve25519 as follows.

        enum {
             curve25519(TBD1),
        } NamedCurve;

   The curve is suitable for use with DTLS [RFC6347].

   Since Curve25519 is not designed to be used in signatures, clients
   who offer ECDHE_ECDSA ciphersuites and advertise support Curve25519
   in the elliptic_curves ClientHello extension SHOULD also advertise
   support for at least one other curve, suitable for ECDSA.  Servers
   MUST NOT select an ECDHE_ECDSA ciphersuite if the only common curve
   is Curve25519.

2.2.  Private key generation

   Private keys MUST be selected as specified in [Curve25519].  That is,
   private keys are 255-bits numbers with the following properties: the
   most significant bit (bit 254) is set, and the three least
   significants bits are cleared; the remaining bits (3 to 253 included)
   are chosen uniformly at random.

2.3.  Public key representation

   For ECDHE, public keys need to be transmitted in the
   ServerKeyExchange and ClientKeyExchange messages, both of which
   encode it as follows.

        struct {
            opaque point <1..2^8-1>;
        } ECPoint;

   For short Weierstrass curves, the contents of ECPoint.point are
   defined by X9.62.  For Curve25519, the ECpoint structure is the same,
   but the contents of ECPoint.point are encoded and interpreted as
   follows: each peer's public key is a number between 0 and 2^255 - 20
   included, and ECPoint.point contains the 32 bytes string representing
   this number in big endian convention.  (The receiving party can
   accept any 32 bytes string, interpreted as a 256 bits number, as
   public key: by design, no validation is needed.)

Josefsson                 Expires July 12, 2014                 [Page 3]
Internet-Draft             Curve25519 for TLS               January 2014

   Note that ECPoint.point differs from the definition of public keys in
   [Curve25519] in two ways: (1) the byte-ordering is big-endian, wich
   is more uniform with how big integers are represented in TLS, and (2)
   there is an additional length byte (so ECpoint.point is actually 33
   bytes), again for uniformity (and extensibility).

   Since only one point format can be used with Curve25519, which is
   distinct from the formats used by short Weierstrass curves, the
   contents of the "Supported Point Formats" extension is irrelevant for
   this curve.  Peers do not need to advertise support for the above
   point format in any way (nor check that the orther party supports it)
   when planning to use Curve25519 for key agreement: support for
   Curve25519 implies support for the above point format, which is tied
   to it.

2.4.  Shared secret computation

   As in the standard Elliptic Curve Diffie-Hellman protocol [SEC1],
   each party computes the shared secret by multiplying the peer's
   public value (seen as a point on the curve) by its own private value,
   except that in the case of Curve25519, only the x coordinate is
   computed.  This is merely an internal detail since [RFC4492]
   specifies that only the x coordinate is used as the premaster secret
   anyway.

   Again, in line with [RFC4492] and as a departure from the convention
   chosen in [Curve25519], the x coordinate is converted to a bytes
   string using big endian order.  As in [RFC4492], leading zeros are
   preserved, so the premaster secret is always a 32 bytes string with
   Curve25519.

3.  IANA Considerations

   IANA is requested to assign numbers for Curve25519 listed in
   Section 2.1 to the Transport Layer Security (TLS) Parameters registry
   EC Named Curve [IANA-TLS] as follows.

               +-------+-------------+---------+-----------+
               | Value | Description | DTLS-OK | Reference |
               +-------+-------------+---------+-----------+
               |  TBD1 |  curve25519 |    Y    |  This doc |
               +-------+-------------+---------+-----------+

                                  Table 1

4.  Security Considerations

Josefsson                 Expires July 12, 2014                 [Page 4]
Internet-Draft             Curve25519 for TLS               January 2014

   The security considerations of [RFC5246] and most of the security
   considerations of [RFC4492] apply accordingly.

   Curve25519 was specifically designed so that secure, fast
   implementations are easier to produce.  In particular, no validation
   of public keys is required, and point multiplication (using only the
   x coordinate) can be efficiently [EFD] computed with a Montgomery
   ladder using a constant number of operations (since the actual bit
   length of the private key is fixed), which avoids a number of side-
   channel attacks.  However, in the fight against side-channel leaks,
   implementors should also pay attention to the following points:

   1.  In the Montgomery ladder, avoid branches depending on secret data
       (the individual bits of the secret key);

   2.  In the same place, avoid memory access patterns dependant on
       secret data;

   3.  Either avoid data-dependant branches and memory access patterns
       in the underlying field arithmetic (that is, the bignum
       arithmetic, including the mod 2^255-19 operation) or randomize
       projective (that is, x/z) coordinates by multiplying both x and z
       with the same 256-bit value, chosen at random.

   Some of the curves defined in [RFC4492], namely all whose name ends
   with r1 or r2, have been advertised as pseudo-randomly chosen, but
   the lack of verifiability of the seeds has raised concerns that the
   those curves might be weaker than expected aginst some attackers.
   The Koblitz curves (those whose name end with k1) of [RFC4492] do not
   suffer from this problem, but are char2 curves and there seems to be
   a consensus that curves over prime fields are a safer bet against
   future progress in discrete log computation.  The Brainpool curves
   [RFC7027] are prime curves generated in a fully verifiable pseudo-
   random way to avoid manipulation concerns, but do not perform as well
   due to the use of pseudo-random primes.  Curve22519 is also chosen in
   a fully verifiable way, but offers better performances (better than
   the curves form [RFC4492]) while facilitating secure implementations
   as mentioned above.  See also [SafeCurves].

5.  References

5.1.  Normative References

   [Curve25519]
              Bernstein, J., "Curve25519: new Diffie-Hellman speed
              records", WWW
              http://cr.yp.to/ecdh/curve25519-20060209.pdf, February
              2006.

Josefsson                 Expires July 12, 2014                 [Page 5]
Internet-Draft             Curve25519 for TLS               January 2014

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

5.2.  Informative References

   [IANA-TLS]
              Internet Assigned Numbers Authority, "Transport Layer
              Security (TLS) Parameters", <http://www.iana.org/
              assignments/tls-parameters/tls-parameters.xml>.

   [SafeCurves]
              Bernstein, D. and T. Lange, "SafeCurves: choosing safe
              curves for elliptic-curve cryptography.", January 2014,
              <http://safecurves.cr.yp.to/>.

   [EFD]      Bernstein, D. and T. Lange, "Explicit-Formulas Database:
              XZ coordinates for Montgomery curves", January 2014,
              <http://www.hyperelliptic.org/EFD/g1p/auto-montgom-
              xz.html>.

   [RFC7027]  Merkle, J. and M. Lochter, "Elliptic Curve Cryptography
              (ECC) Brainpool Curves for Transport Layer Security
              (TLS)", RFC 7027, October 2013.

   [SEC1]     Certicom Research, , "Standards for Efficient Cryptography
              (SEC) 1", September 2000.

Appendix A.  Test vectors

   This section provides some test vectors for example Diffie-Hellman
   key exchanges using Curve25519.  The following notations are used:

   d_A  the secret key of party A

   x_A  the public key of party A

   d_B  the secret key of party B

   x_B  the public key of party B

Josefsson                 Expires July 12, 2014                 [Page 6]
Internet-Draft             Curve25519 for TLS               January 2014

   x_S  the shared secret that results from completion of the Diffie-
      Hellman computation, i.e., the hex representation of the pre-
      master secret.

   The field elements x_A, x_B, and x_S are represented as hexadecimal
   values using the FieldElement-to-OctetString conversion method
   specified in [SEC1].

        d_A = 5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF51
              7369C660
        d_B = 47DC3D214174820E1154B49BC6CDB2ABD45EE95817055D255AA35831
              B70D3260
        x_A = 057E23EA9F1CBE8A27168F6E696A791DE61DD3AF7ACD4EEACC6E7BA5
              14FDA863
        x_B = 6EB89DA91989AE37C7EAC7618D9E5C4951DBA1D73C285AE1CD26A855
              020EEF04
        x_S = 61450CD98E36016B58776A897A9F0AEF738B99F09468B8D6B8511184
              D53494AB

Author's Address

   Simon Josefsson
   SJD AB

   Email: simon@josefsson.org

Josefsson                 Expires July 12, 2014                 [Page 7]